Simple Bind Authentication

Simple bind authentication is the most common way to authenticate LDAP clients. In
a simple bind, the client either binds anonymously, that is, with an empty
bind DN, or binds by providing a DN and a password. Directory Proxy
Server binds to a data source to validate the credentials and to authenticate
the client. An entry for the client must exist on the data source;
otherwise, the client is considered to be anonymous. When a client is authenticated,
Directory Proxy Server records the identity of the client.

Directory Proxy Server is configured for simple bind authentication by default. No additional
configuration is required. Because the client provides a password to Directory Proxy Server,
simple bind authentication is also known as password-based authentication.

For LDAP data views, Directory Proxy Server relies on the backend LDAP
server for password encryption and verification. When a client modifies a password by using
an ADD or MODIFY operation, the backend LDAP server can apply a
password encryption policy when it stores the password. When the client issues a
BIND request, the backend LDAP server is responsible for verifying the password.

For LDIF and JDBC data views, Directory Proxy Server is responsible for password
encryption and verification. When a client modifies a password, Directory Proxy Server applies
the encryption policy defined by the db-pwd-encryption property of the data view. The
encryption policy can be PLAIN, SHA, SSHA or SHA512. The password is still
stored in the data source, that is, in the LDIF file or JDBC
database. By default, passwords are encrypted using SSHA.

When encrypted passwords are stored, the encrypted value is prefixed by a tag that
names the encryption policy. For example, a stored, encrypted password might look like
{SSHA}mcasopjebjakiue or {SHA}askjdlaijfbnja. When the client issues a BIND request,
Directory Proxy Server verifies the password against the stored value and expects that
value to carry the encryption policy tag.
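
The following sketch shows how a tagged stored value can be checked at bind time. It is an added example, not Directory Proxy Server code. It assumes the common LDAP userPassword layout for {SHA} and {SSHA}, assumes {SHA512} is an unsalted SHA-512 digest, and leaves out PLAIN because the page does not show its stored form. The names encode_ssha and verify are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# Digest per policy tag. {SHA} and {SSHA} use the common LDAP userPassword
# layout; treating {SHA512} as unsalted SHA-512 is an assumption.
DIGESTS = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1, "SHA512": hashlib.sha512}
TAGGED = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)


def encode_ssha(password, salt=None):
    """Build a {SSHA} value: base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password, stored):
    """Check a bind password against a tagged stored value."""
    match = TAGGED.match(stored)
    if not match:
        return False  # no policy tag: reject, never compare as plaintext
    scheme, body = match.group(1).upper(), match.group(2)
    if scheme not in DIGESTS:
        return False  # unknown or unsupported policy tag
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False  # body is not well-formed base64
    hasher = DIGESTS[scheme]
    size = hasher().digest_size
    if len(raw) < size or (scheme != "SSHA" and len(raw) != size):
        return False  # truncated digest, or trailing bytes on an unsalted scheme
    digest, salt = raw[:size], raw[size:]  # salt is empty unless SSHA
    candidate = hasher(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    stored = encode_ssha("s3cret-constructed")  # constructed sample password
    print(stored, verify("s3cret-constructed", stored), verify("wrong", stored))
```

The illustrative value {SSHA}mcasopjebjakiue shown above is not a well-formed digest, so verify rejects it for any password.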